If you think you’re immune to phishing attempts, you’re wrong!

Security consultant Troy Hunt, the creator of the Have I Been Pwned (HIBP) service, has revealed that he got tricked by a clever phishing email, and that the attacker gained access to his Mailchimp account and stole a list of email addresses of his newsletter subscribers.

Commendably, he added the compromised data – email and IP addresses, rough geolocation data – to HIBP, so that users can check whether their data is included, or be notified of it if they subscribed to the notification service.

The Mailchimp phishing attack

The phishing email, which some of the Help Net Security staff also received, employs Mailchimp branding, and urges recipients to review their recent activity because their “account’s sending privileges have been restricted due to a spam complaint.”

[Image: the phishing email (Source: Help Net Security)]

The email does not address the recipient by name and the email address from which it was sent does not look like it might belong to Mailchimp (hr@group-f.be) but, as he explained:

  • He was jet-lagged and tired
  • Outlook on iOS, which he initially used to read the email, did not render the email address, just the spoofed sender name (“MailChimp Account Services”)
  • The phishing email triggered “just the right amount of urgency”
  • The phishing email was sent to the email address he uses for logging into the Mailchimp account.

Unfortunately, he was also not alarmed when 1Password, his password manager of choice, did not fill in his Mailchimp account credentials into the phishing site, “as there are so many services where you’ve registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.”

Finally, he lamented the fact that Mailchimp doesn’t offer phishing-resistant 2FA. The only two options for receiving the second authentication factor (i.e., a one-time passcode, aka OTP) are via SMS or via a 2-factor authenticator app on one’s mobile device – and he entered the OTP into the phishing site as well.

“By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it’s entered,” he said.

“Using a U2F key on really important stuff (like my domain registrar) highlights the value of this form of auth. Today’s phish could not have happened against this account, nor the other critical ones using a phishing resistant second factor and we need to collectively push orgs in this direction.”

A teaching moment

Even though Hunt realized something was wrong almost immediately after entering his credentials and the OTP into the phishing site, logged onto the official Mailchimp site and changed his account password, the attacker still managed to export his mailing list, which shows that the attack was highly automated.

That’s a reality we all need to deal with, but it’s unfortunate that online services are slow to implement protective measures – in this case, controls to prevent replay attacks – to counter known attack trends.
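Hunt’s point about OTP versus a U2F key, and the replay controls mentioned above, come down to what the server is actually able to verify. The following Python is an added example (not from this article, from Hunt’s own write-up, or from Mailchimp) that models both sides: an RFC 6238 TOTP check, where the server sees only a six-digit code with no information about where it was typed, and a simplified WebAuthn/U2F-style assertion check, where the browser writes the real page origin into the signed client data and the relying party rejects any assertion whose origin is not its own and any challenge that has already been used. The origin `https://login.example`, the RP id `login.example`, and the use of HMAC in place of the authenticator’s public-key signature are assumptions made for this example; the TOTP vectors are the published RFC 4226/6238 test values.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# Constructed values for this example; they stand in for the real service.
RP_ORIGIN = "https://login.example"
RP_ID = "login.example"


# ---- TOTP (RFC 6238 over RFC 4226 HOTP): the "authenticator app" second factor ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1, dynamic truncation, decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP over the 30-second time step index."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current step and one step either side for clock drift.
    Note what the server cannot see: the code carries no information about
    which page the user typed it into, so a code relayed from a look-alike
    page within the window is indistinguishable from a genuine login."""
    counter = now // step
    return any(hmac.compare_digest(code, hotp(secret, counter + d)) for d in (-1, 0, 1))


# ---- Simplified WebAuthn / U2F assertion: the second factor is origin-bound ----

class Authenticator:
    """Models a security key. HMAC with a per-credential secret stands in for
    the real ECDSA/EdDSA signature; the signed data has the real shape:
    authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.key = os.urandom(32)  # stand-in for the credential private key

    def sign_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"  # flags (UP) + sign counter
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {
            "clientDataJSON": client_data_json,
            "authenticatorData": auth_data,
            "signature": hmac.new(self.key, signed, hashlib.sha256).digest(),
        }


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """Models the browser's role: it, not the page, writes the actual page origin
    into clientDataJSON, and it refuses when the RP id is not the page's host or
    a registrable suffix of it. Returns None when the browser refuses."""
    host = urlparse(page_origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    return auth.sign_assertion(rp_id, client_data)


class RelyingParty:
    """Server side: issues single-use challenges and checks origin, challenge,
    RP id hash and signature before accepting an assertion."""

    def __init__(self, credential_key: bytes) -> None:
        self.key = credential_key       # stand-in for the registered public key
        self.pending: set[str] = set()  # challenges issued but not yet consumed

    def issue_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, assertion: dict) -> tuple[bool, str]:
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client_data.get("origin") != RP_ORIGIN:
            return False, "origin mismatch"  # signed for some other site: reject
        challenge = client_data.get("challenge")
        if challenge not in self.pending:
            return False, "unknown or already-used challenge"
        self.pending.discard(challenge)      # consume first, so a replay fails
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test secret
    print("TOTP at T=59:", totp(secret, 59))  # 287082 (RFC 6238 vector)
    auth, rp = Authenticator(), RelyingParty(auth.key)
    a = browser_get_assertion(auth, RP_ORIGIN, RP_ID, rp.issue_challenge())
    print("genuine:", rp.verify_assertion(a))
    print("replayed:", rp.verify_assertion(a))
```

The contrast is in the two verify functions: `verify_totp` can only compare digits, whereas `verify_assertion` rejects before it even looks at the signature if the origin in the signed client data is not the service’s own, and a second submission of the same assertion fails because the challenge was consumed on first use. That origin check is exactly what makes a security key useless to a relay sitting on a different domain, and the single-use challenge is the kind of replay control the article asks services to adopt.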

The public disclosure of Hunt’s failure should be used as proof that no amount of helpful tips and training can result in users being completely immune to phishers’ tricks.

Such training should not be ignored, but the right technology – e.g., good anti-phishing email filters, better user interface choices, more secure 2FA options, etc. – is also a big factor in preventing these attacks.
